Bug#662969: yabause: Hardening flags not enabled

Simon Ruderich simon at ruderich.org
Wed Mar 7 16:59:06 UTC 2012


Package: yabause
Version: 0.9.11-1
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The hardening flags are missing because export LDFLAGS += in
debian/rules overwrites the default hardening flags; additionally
the build system ignores CFLAGS/CPPFLAGS.

DEB_*_MAINT_APPEND is the preferred way to set additional flags
(see man dpkg-buildflags for more information). For more
hardening information please have a look at [1], [2] and [3].

The following patch fixes the missing LDFLAGS and CPPFLAGS (only
in combination with the attached patch).

    diff -Nru yabause-0.9.11/debian/rules yabause-0.9.11/debian/rules
    --- yabause-0.9.11/debian/rules 2011-11-28 09:44:43.000000000 +0100
    +++ yabause-0.9.11/debian/rules 2012-03-07 17:44:32.000000000 +0100
    @@ -1,8 +1,12 @@
     #!/usr/bin/make -f
     # -*- makefile -*-
    
    -LDFLAGS+=-Wl,-z,defs -Wl,--as-needed
    -export LDFLAGS
    +# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
    +# missing (hardening) flags.
    +export DEB_CFLAGS_MAINT_APPEND   = $(shell dpkg-buildflags --get CPPFLAGS)
    +export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
    +
    +export DEB_LDFLAGS_MAINT_APPEND  = -Wl,-z,defs -Wl,--as-needed
    
     %:
            dh $@
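
Review bot: The two added `DEB_CFLAGS_MAINT_APPEND` / `DEB_CXXFLAGS_MAINT_APPEND` lines assign `$(shell dpkg-buildflags --get CPPFLAGS)` with `=`, which is a recursively expanded assignment, so make runs dpkg-buildflags again on every expansion of these exported variables. Using `:=` would evaluate it once when debian/rules is parsed. Separately, the new comment could note that this hunk only takes effect together with 05_use_dpkg_buildflags.patch, since the covering text says the CPPFLAGS fix depends on that attachment.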

The attached patch updates the build system to respect the
hardening flags, necessary for CFLAGS and CPPFLAGS. I'm not sure
if this patch is correct because I have no experience with CMake,
please check if it's correct.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):

    $ hardening-check /usr/bin/yabause-qt /usr/bin/yabause-gtk
    /usr/bin/yabause-qt:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/yabause-gtk:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

(Position Independent Executable and Immediate binding are not
enabled by default.)

Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +`
on the build result to check all files.

yabause has an executable stack which might cause security
problems. But I'm not sure if this is required by the program -
if it's not, adding -Wl,-z,noexecstack to DEB_LDFLAGS_MAINT_APPEND
fixes that.

I haven't tested yabause with these new flags, please test it
before uploading a new package with these changes. Normally
everything works fine, but yabause uses assembly which might
cause problems.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 05_use_dpkg_buildflags.patch
Type: text/x-diff
Size: 1285 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-games-devel/attachments/20120307/98b3ae1a/attachment-0001.patch>
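
The report says yabause has an executable stack but shows no check for it. The following added example (not part of the original message or of the yabause packaging) reads the PT_GNU_STACK program header, the field that -Wl,-z,noexecstack changes. It handles only ELF64 little-endian files (amd64, as in the report); `stack_state` and `sample_elf` are hypothetical names and the sample bytes are constructed.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack permissions
PF_X = 0x1                 # "executable" bit in p_flags

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 little-endian program header (56 bytes)


def stack_state(elf: bytes) -> str:
    """Return 'executable', 'non-executable' or 'missing' for the GNU_STACK header."""
    if len(elf) < EHDR.size or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    fields = EHDR.unpack_from(elf)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    if phnum and phentsize < PHDR.size:
        raise ValueError("program header entries are too small")
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + PHDR.size > len(elf):
            raise ValueError("truncated program header table")
        p_type, p_flags = PHDR.unpack_from(elf, off)[:2]
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "non-executable"
    # No GNU_STACK header: the stack permissions are left to the platform default.
    return "missing"


def sample_elf(stack_flags):
    """Constructed input: ELF64 header, one PT_LOAD, optionally one GNU_STACK header."""
    phdrs = [PHDR.pack(1, 5, 0, 0, 0, 0, 0, 0x1000)]  # PT_LOAD, flags R+X
    if stack_flags is not None:
        phdrs.append(PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10))
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)  # ELFCLASS64, little-endian, version 1
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    # Usage: pass the paths of built binaries or shared objects as arguments.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, stack_state(fh.read()))
```

A result of "executable" on the built binaries corresponds to the RWE flags that `readelf -lW` shows on the GNU_STACK line.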